The Dutch Data Protection Authority (DPA) has imposed a substantial fine of €290 million (approximately $324 million) on ride-hailing giant Uber for breaching the European Union’s General Data Protection Regulation (GDPR). The fine, announced on Monday, stems from Uber’s unauthorized transfer of European drivers’ personal data to U.S. servers, a move the DPA described as a “serious violation” of the stringent privacy laws governing data protection in the EU.
According to the DPA, Uber transferred sensitive information, including taxi licenses, location data, photos, payment details, identity documents, and in some cases, criminal and medical records of European drivers, to its U.S. headquarters without utilizing the necessary transfer tools to safeguard the data. This action, the regulator stated, failed to meet the GDPR’s requirements for ensuring the protection of personal data during cross-border transfers.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data concerning transfers to the U.S. That is very serious,” said Aleid Wolfsen, Chairman of the Dutch Data Protection Authority, in a statement.
The DPA emphasized that the data transfers, which took place over a period of two years, were conducted without adequate safeguards, thereby compromising the privacy and security of the drivers’ information.
Uber has responded to the fine by announcing its intention to appeal the decision. A spokesperson for the company labeled the fine as “completely unjustified” and criticized the DPA’s ruling as flawed.
“This flawed decision and extraordinary fine are completely unjustified,” the Uber spokesperson stated. “Uber’s cross-border data transfer process was compliant with GDPR during three years of immense uncertainty between the EU and the U.S. We will appeal and remain confident that common sense will prevail.”
The case highlights the ongoing challenges faced by multinational companies in navigating the complexities of data protection laws, particularly in the context of international data transfers between regions with differing privacy regulations. The outcome of Uber’s appeal could set a significant precedent for how such cases are handled in the future.
This fine adds to the growing list of penalties imposed on global tech companies for GDPR violations, underscoring the EU’s commitment to enforcing strict data protection standards.